Phishing campaign ranker

ABSTRACT

According to one embodiment, an apparatus includes a memory and a processor. The memory is configured to store a plurality of phishing scores, each phishing score of the plurality of phishing scores indicating a likelihood that a user will delete a phishing email. The processor is configured to determine that a plurality of phishing campaigns are occurring. For each phishing campaign of the plurality of phishing campaigns, the processor is configured to determine that a plurality of users deleted a phishing email of the phishing campaign and to determine a priority score for the phishing campaign based on the phishing score of each user of the plurality of users. The processor is further configured to rank the plurality of phishing campaigns based on the priority score of each phishing campaign, wherein the phishing campaign of the plurality of phishing campaigns with the highest rank is presented first.

TECHNICAL FIELD

This disclosure relates generally to a system for handling phishingemails.

BACKGROUND

Phishing emails and phishing campaigns place computing systems andnetworks at risk.

SUMMARY OF THE DISCLOSURE

According to one embodiment, an apparatus includes a memory and aprocessor. The memory is configured to store a plurality of phishingscores, each phishing score of the plurality of phishing scoresindicating a likelihood that a user will delete a phishing email. Theprocessor is configured to determine that a plurality of phishingcampaigns are occurring. For each phishing campaign of the plurality ofphishing campaigns, the processor is configured to determine that aplurality of users deleted a phishing email of the phishing campaign andto determine a priority score for the phishing campaign based on thephishing score of each user of the plurality of users. The processor isfurther configured to rank the plurality of phishing campaigns based onthe priority score of each phishing campaign, wherein the phishingcampaign of the plurality of phishing campaigns with the highest rank ispresented first.

According to another embodiment, a method includes storing, by a memory,a plurality of phishing scores, each phishing score of the plurality ofphishing scores indicating a likelihood that a user will delete aphishing email and determining, by a processor, that a plurality ofphishing campaigns are occurring. For each phishing campaign of theplurality of phishing campaign, the method includes determining, by theprocessor, that a plurality of users deleted a phishing email of thephishing campaign and determining, by the processor, a priority scorefor the phishing campaign based on the phishing score of each user ofthe plurality of users. The method further includes ranking theplurality of phishing campaigns based on the priority score of eachphishing campaign, wherein the phishing campaign of the plurality ofphishing campaigns with the highest rank is presented first.

According to another embodiment, a system includes a plurality of usersand a phishing management device configured to store, by a memory, aplurality of phishing scores, each phishing score of the plurality ofphishing scores indicating a likelihood that a user will delete aphishing email. The phishing management device is further configured todetermine, by a processor communicatively coupled to the memory, that aplurality of phishing campaigns are occurring. For each phishingcampaign of the plurality of phishing campaigns, the phishing managementdevice is configured to determine, by the processor, that a plurality ofusers deleted a phishing email of the phishing campaign and todetermine, by the processor, a priority score for the phishing campaignbased on the phishing score of each user of the plurality of users. Thephishing management device is further configured to rank the pluralityof phishing campaigns based on the priority score of each phishingcampaign, wherein the phishing campaign of the plurality of phishingcampaigns with the highest rank is presented first.

Certain embodiments may provide one or more technical advantages. Forexample, an embodiment may reduce the effectiveness of phishingcampaigns. Certain embodiments may include none, some, or all of theabove technical advantages. One or more other technical advantages maybe readily apparent to one skilled in the art from the figures,descriptions, and claims included herein.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure, referenceis now made to the following description, taken in conjunction with theaccompanying drawings, in which:

FIG. 1 illustrates a system for handling phishing emails;

FIG. 2 illustrates ranking phishing campaigns using the system of FIG.1; and

FIG. 3 is a flowchart illustrating a method of ranking phishingcampaigns using the system of FIG. 1.

DETAILED DESCRIPTION

Embodiments of the present disclosure and its advantages are bestunderstood by referring to FIGS. 1 through 3 of the drawings, likenumerals being used for like and corresponding parts of the variousdrawings.

Phishing scams place computing systems and networks at substantial risk.Phishing typically involves the sending of emails and/or messages thatattempt to deceive the recipient into providing personally identifiableinformation, passwords, and any other information that, when known by anunauthorized party, may threaten the security of the system and/ornetwork. Phishing may also involve sending emails and/or messages thatdeceive the recipient into installing viruses and/or worms onto therecipient's device. Because the success of a phishing scam may depend onthe response of only one recipient and because the number of recipientsmay be large, it may be difficult to prevent a phishing scam fromjeopardizing the security of a system and/or network. For example, if aphishing email is sent to one thousand users on a network it may bedifficult to ensure that all one thousand users do not fall victim tothe phishing email.

This disclosure provides a system that may reduce the effectiveness ofphishing scams and phishing campaigns. For example, the system may rankphishing campaigns based on a number of users who deleted phishingemails of those phishing campaigns. The system will be describedgenerally using FIG. 1. The various functions performed by the systemwill be described in more detail using FIGS. 2 and 3. Although thisdisclosure primarily describes phishing within the context of email,this disclosure contemplates phishing scams within any messaging contextincluding text messaging, chat messaging, and/or any other appropriatemessaging scheme.

FIG. 1 illustrates a system 100 for handling phishing emails. Asprovided in FIG. 1, system 100 includes users 105A, 105B and 105C,devices 110A, 110B, and 110C, network 115, mail server 120, and phishingmanagement device 140. The components of system 100 may becommunicatively coupled to each other through network 115. For ease ofillustration, the number of illustrated components of system 100 islimited, but this disclosure contemplates system 100 including anynumber of users 105, devices 110, networks 115, mail servers 120, andphishing management devices 140.

A user 105 may use device 110 to perform various functions related toemail. For example, user 105 may use device 110 to compose email, reademail, reply and/or forward email, and/or delete email. This disclosurecontemplates device 110 being any appropriate device for sending andreceiving communications over network 115. As an example and not by wayof limitation, device 110 may be a computer, a laptop, a wireless orcellular telephone, an electronic notebook, a personal digitalassistant, a tablet, or any other device capable of receiving,processing, storing, and/or communicating information with othercomponents of system 100. Device 110 may also include a user interface,such as a display, a microphone, keypad, or other appropriate terminalequipment usable by user 105. In some embodiments, an applicationexecuted by device 110 may perform the functions described herein.

Network 115 may facilitate communication between and amongst the variouscomponents of system 100. This disclosure contemplates network 115 beingany suitable network operable to facilitate communication between thecomponents of system 100. Network 115 may include any interconnectingsystem capable of transmitting audio, video, signals, data, messages, orany combination of the preceding. Network 115 may include all or aportion of a public switched telephone network (PSTN), a public orprivate data network, a local area network (LAN), a metropolitan areanetwork (MAN), a wide area network (WAN), a local, regional, or globalcommunication or computer network, such as the Internet, a wireline orwireless network, an enterprise intranet, or any other suitablecommunication link, including combinations thereof, operable tofacilitate communication between the components.

Mail server 120 may handle the email traffic of system 100. As providedin FIG. 1, mail server 120 may include a processor 125 and a memory 130.Processor 125 and memory 130 may be communicatively coupled to eachother. This disclosure contemplates processor 125 and memory 130 beingconfigured to perform any of the functions of mail server 120 describedherein. For example, processor 125 and memory 130 may be configured toreceive email and/or store email.

Processor 125 may execute software stored on memory 130 to perform anyof the functions described herein. Processor 125 may control theoperation and administration of mail server 120 by processinginformation received from network 115, device 110, and memory 130.Processor 125 may include any hardware and/or software that operates tocontrol and process information. Processor 125 may be a programmablelogic device, a microcontroller, a microprocessor, any suitableprocessing device, or any suitable combination of the preceding.

Memory 130 may store, either permanently or temporarily, data,operational software, or other information for processor 125. Memory 130may include any one or a combination of volatile or non-volatile localor remote devices suitable for storing information. For example, memory130 may include random access memory (RAM), read only memory (ROM),magnetic storage devices, optical storage devices, or any other suitableinformation storage device or a combination of these devices. Thesoftware represents any suitable set of instructions, logic, or codeembodied in a computer-readable storage medium. For example, thesoftware may be embodied in memory 130, a disk, a CD, or a flash drive.In particular embodiments, the software may include an applicationexecutable by processor 125 to perform one or more of the functionsdescribed herein.

Mail server 120 may manage the email traffic of system 100. For example,mail server 120 may receive an email 135. Mail server 120 may thendetermine which user 105 is the intended recipient of email 135. Mailserver 120 may then deliver email 135 to the appropriate device 110.Mail server 120 may also store email 135. When a user 105 uses device110 to reply, forward, and/or delete email 135, mail server 120 mayreceive a command from the device 110. Mail server 120 may then respondappropriately to the command.

Phishing management device 140 may track and/or handle phishing emailsreceived by system 100. As provided in FIG. 1, phishing managementdevice 140 includes a processor 145 and a memory 150. This disclosurecontemplates processor 145 and memory 150 being configured to performany of the functions of phishing management device 140 described herein.Processor 145 may be communicatively coupled to memory 140.

Processor 145 may execute software stored on memory 150 to perform anyof the functions described herein. Processor 145 may control theoperation and administration of phishing management device 140 byprocessing information received from network 115, device 110, and memory150. Processor 145 may include any hardware and/or software thatoperates to control and process information. Processor 145 may be aprogrammable logic device, a microcontroller, a microprocessor, anysuitable processing device, or any suitable combination of thepreceding.

Memory 150 may store, either permanently or temporarily, data,operational software, or other information for processor 145. Memory 150may include any one or a combination of volatile or non-volatile localor remote devices suitable for storing information. For example, memory150 may include random access memory (RAM), read only memory (ROM),magnetic storage devices, optical storage devices, or any other suitableinformation storage device or a combination of these devices. Thesoftware represents any suitable set of instructions, logic, or codeembodied in a computer-readable storage medium. For example, thesoftware may be embodied in memory 150, a disk, a CD, or a flash drive.In particular embodiments, the software may include an applicationexecutable by processor 145 to perform one or more of the functionsdescribed herein.

Phishing management device 140 may perform various functions to reducethe effectiveness of phishing scams and phishing campaigns. For example,system 100 may rank phishing campaigns. System 100 may rank phishingcampaigns based on phishing scores of certain users and how those usershandle particular phishing emails. By ranking phishing campaigns, system100 may allow an administrator to determine which phishing campaignshould be addressed and/or handled first. Ranking phishing campaigns isdiscussed in more detail using FIGS. 2 and 3.

FIGS. 2 and 3 illustrate ranking phishing campaigns using the system 100of FIG. 1. In some instances, phishing emails are not isolated events.Sometimes, phishing emails are part of a larger phishing campaigninvolving multiple or a series of phishing emails. Due to the scope andduration of phishing campaigns, it may be resource intensive for anadministrator to handle them.

System 100 may provide a ranking of phishing campaigns that theadministrator may follow. For example, the administrator may choose tohandle the highest ranked campaign first. In particular embodiments, theranking may indicate the threat posed by the campaign. By using system100, the administrator may be able to devote immediate attention to thecampaigns that pose the greatest threat.

FIG. 2 illustrates ranking phishing campaigns using the system 100 ofFIG. 1. As provided in FIG. 2, phishing management device 140 mayprovide a ranking 840 of a plurality of phishing campaigns 810, 815 and820. Rankings 840 may indicate which phishing campaign 810, 815, or 820poses the greatest threat to system 100. For clarity, certain elementsof system 100 have not been illustrated in FIG. 2, but their omissionshould not be construed as their elimination from system 100.

Phishing management device 140 may determine that a plurality ofphishing campaigns 810, 815 and 820 are occurring. In particularembodiments, phishing management device 140 may make this determinationbased on phishing emails reported by one or more of users 105A, 105B,and 105C. Each phishing campaign 810, 815 and 820 may involve one ormore phishing emails. By ranking phishing campaigns 810, 815 and 820,phishing management device 140 may provide an administrator insight intowhich campaign should be reviewed and/or handled first. This disclosurecontemplates phishing management device 140 detecting and/or ranking anyappropriate number of phishing campaigns.

Phishing management device 140 may store a plurality of phishing scores805 in memory 150. Phishing scores 805 may correspond to users 105A,105B and 105C. This disclosure contemplates phishing management device140 storing any appropriate number of phishing scores 805 for anyappropriate number of users 105. Each phishing score 805 may indicatehow likely a user 105 will respond to a phishing email. For example, ifa user's 105 phishing score 805 is high, it may indicate that that user105 is likely to respond to a phishing email. If a user's 105 phishingscore 805 is low, it may indicate that that user 105 is not likely torespond to a phishing email.

For example, phishing management device 140 may send one or more fakeand/or training phishing emails to a plurality of users 105. Based onhow each user 105 responds to the fake and/or training phishing emails,phishing management device 140 may determine how likely it is that eachuser will respond to a phishing email in the future. Phishing managementdevice 140 may then assign phishing scores 805 based on this determinedlikelihood. Phishing management device 140 may vary the number of users105 that receive fake and/or training phishing emails to achieve moreaccurate results. Phishing management device 140 may also vary the typeor content of fake and/or training phishing emails to achieve moreaccurate results. In particular embodiments, system 100 may rankphishing campaigns by correlating the plurality of responses of therecipients of the phishing campaign to the plurality of responses by thesame recipients in prior simulated phishing tests.

In particular embodiments, phishing scores 805 may be determined byanalyzing a deletion rate of a plurality of users 105A, 105B and 105C toa plurality of phishing emails. For example, if a user 105A deletesphishing emails frequently then phishing score 805 may be lower for user105A because user 105A has demonstrated that he is not likely to respondto a phishing email. On the other hand and as another example, if user105C has a low deletion rate for phishing emails, then phishing score805 may be higher for user 105C because use 105C has demonstrated thathe is likely to respond to a phishing email.

Phishing management device 140 may use phishing scores 805 to determinepriority scores 825, 830 and 835 for phishing campaigns 810, 815 and820. Each priority score 825, 830 and 835 may indicate how great athreat is posed by a particular phishing campaign 810, 815 and 820. Forexample, if phishing campaign 810 has a high priority score 825 it mayindicate that phishing campaign 810 poses a large threat. As anotherexample, if phishing campaign 815 has a low priority score 830, it mayindicate that phishing campaign 815 poses a small threat. In particularembodiments, phishing management device 140 may use phishing scores 805to determine priority scores 825, 830 and 835. For example, if user 105Ahas a low phishing score 805 (indicating that user 105A is not likely torespond to a phishing email), and phishing management device 140determines that user 105A responded to a phishing email of phishingcampaign 810, then phishing management device 140 may determine thatphishing campaign 810 should be assigned a high priority score 825. Onthe other hand, if phishing score 805 indicates that user 105B is likelyto respond to a phishing email, and phishing management device 140determines that user 105B did not respond to a phishing email ofphishing campaign 815, then phishing management device 140 may determinethat phishing campaign 815 should be assigned a low priority score 830.This disclosure contemplates phishing management device 140 assigningany appropriate priority score in any appropriate manner.

In particular embodiments, phishing management device 140 may determinepriority scores 825, 830 and 835 based on actions performed by users105A, 105B and 105C when they received phishing emails associated withphishing campaigns 810, 815 and 820. For example, phishing managementdevice 140 may determine that users 105A and 105B deleted phishingemails associated with phishing campaign 815. Phishing management device140 may then analyze phishing scores 805 associated with users 105A and105B. If phishing scores 805 indicate that users 105A and 105B arelikely to respond to phishing emails, then phishing management device140 may assign phishing campaign 815 a lower priority score becauseusers 105A and 105B, who are likely to respond to phishing emails,deleted the phishing emails associated with phishing campaign 815. Thisindicates that phishing campaign 815 probably does not present a largethreat. On the other hand and as another example, if user 105C respondsto a phishing email associated with phishing campaign 820 and phishingscore 805 associated with user 105C indicates that user 105C is notlikely to respond to a phishing email, then phishing management device140 may determine that phishing campaign 820 should be assigned a higherpriority score 835 because a user 105C, who is not likely to respond toa phishing email, responded to the phishing email associated withphishing campaign 820. This indicates that phishing campaign 820probably presents a large threat. Therefore, in both of these examples,the priority scores are inversely proportional to the phishing scores ofthe users.

In particular embodiments, priority scores 825, 830 and 835 may be basedon the number of emails associated with phishing campaigns 810, 815 and820. For example, if phishing campaign 810 is associated with a largenumber of phishing emails, priority score 825 may be high because alarge number of phishing emails sent as part of phishing campaign 810increases the threat presented by phishing campaign 810. On the otherhand and as another example, if phishing campaign 820 is associated witha low number of phishing emails, then priority score 835 may be lowerbecause a low number of phishing emails presents a lower threat.

In particular embodiments, priority scores 825, 830 and 835 may be basedon a response rate to phishing emails associated with phishing campaigns810, 815 and 820. For example, if emails associated with phishingcampaign 810 have high response rates, then priority score 825 may behigher because if more users are responding to the phishing emailsassociated with phishing campaign 810, then phishing campaign 810presents a larger threat. On the other hand and as another example, ifphishing emails associated with phishing campaign 820 have a lowresponse rate, then priority score 835 may be lower because if a lowernumber of users is responding to phishing emails associated withphishing campaign 820, then phishing campaign 820 presents a lowerthreat.

Phishing management device 140 may rank phishing campaigns 810, 815 and820 using priority scores 825, 830 and 835. In particular embodiments,phishing management device 140 may give the highest rank to the phishingcampaign with the highest priority score. In such instances the highpriority score may indicate that the phishing campaign poses a largethreat. This disclosure contemplates phishing management device 140ranking phishing campaigns in any appropriate order. For example,phishing management device 140 may give the highest ranking to thephishing campaign that poses the least threat.

In certain embodiments, phishing management device 140 or anadministrator may ignore phishing campaigns that are ranked low. Forexample, the lowest ranking campaign may be ignored because it presentsthe least or lowest threat to system 100. In this instance, phishingmanagement device 140 may not include the lowest ranked campaign inrankings 840. As another example, the administrator may not handle thelowest ranked campaign.

In particular embodiments, by ranking phishing campaigns, system 100 mayallow an administrator to respond to a phishing campaign that poses agreat threat rather than a phishing campaign that poses a small threat.Ranking phishing campaigns may also allow an administrator to determinewhich campaigns may be ignored.

FIG. 3 is a flowchart illustrating a method 1000 of ranking phishingcampaigns using the system 100 of FIG. 1. In particular embodiments,phishing management device 140 may perform method 1000.

Phishing management device 140 may begin by determining that a pluralityof phishing campaigns are occurring in step 1005. Phishing managementdevice 140 may then determine a plurality of users that deleted aphishing email of the phishing campaign in step 1010. In step 1015,phishing management device 140 may determine a priority score for thephishing campaign based on a phishing score of each of the plurality ofusers. For example, if the phishing scores of the plurality of usersthat deleted the phishing email indicate that the plurality of users islikely to respond to phishing emails, then phishing management device140 may assign a lower priority score for the phishing campaign.

In step 1020, phishing management device 140 may determine if there isanother campaign in the plurality of phishing campaigns. If there isanother campaign, phishing management device 140 may return to step1010. If there is not another campaign, phishing management device 140may rank the campaigns based on their priority scores in step 1025.

In particular embodiments, by ranking phishing campaigns using methods900 and 1000, system 100 may allow an administrator to respond to aphishing campaign that poses a great threat rather than a phishingcampaign that poses a small threat. Ranking phishing campaigns may alsoallow an administrator to determine which campaigns may be ignored.

Modifications, additions, or omissions may be made to method 1000depicted in FIG. 3. Method 1000 may include more, fewer, or other steps.For example, steps may be performed in parallel or in any suitableorder. While discussed as phishing management device 140 performing thesteps, any suitable component of system 100, such as device 110 forexample, may perform one or more steps of the method.

This disclosure contemplates users 105A, 105B and 105C responding tophishing emails in any appropriate manner. For example, users 105A, 105Band 105C may respond to a phishing email by clicking a link in thephishing email. As another example, users 105A, 105B and 105C mayrespond to a phishing email by replying to it. As another example, users105A, 105B and 105C may respond to a phishing email by opening anattachment in the phishing email. As further examples, users 105A, 105B,and 105C may respond by forwarding the phishing email, deleting thephishing email, opening the phishing email, opening the phishing email,reading the phishing email, opening an attachment in the phishing email,calling a phone number in the phishing email, and/or reporting thephishing email.

Modifications, additions, or omissions may be made to system 100 withoutdeparting from the scope of the invention. For example, phishingmanagement device 14 may be a distributed system. As another example,the components of system 100 may be integrated or separated. Forexample, mail server 120 may be incorporated into phishing managementdevice 140, and vice versa.

Although the present disclosure includes several embodiments, a myriadof changes, variations, alterations, transformations, and modificationsmay be suggested to one skilled in the art, and it is intended that thepresent disclosure encompass such changes, variations, alterations,transformations, and modifications as fall within the scope of theappended claims.

What is claimed is:
 1. An apparatus comprising: a memory configured tostore a plurality of phishing scores, each phishing score of theplurality of phishing scores indicating a likelihood that a user willdelete a phishing email; and a processor communicatively coupled to thememory, the processor configured to: determine that a plurality ofphishing campaigns are occurring; for each phishing campaign of theplurality of phishing campaigns: determine that a plurality of usersdeleted a phishing email of the phishing campaign; determine that aplurality of users fell victim to the phishing email of the phishingcampaign; and determine a priority score for the phishing campaign basedon the phishing score of each user of the plurality of users who deletedthe phishing email, on the phishing score of each user of the pluralityof users who fell victim to the phishing email, and on a number ofphishing emails sent as part of the phishing campaign; and rank theplurality of phishing campaigns based on the priority score of eachphishing campaign, wherein the phishing campaign of the plurality ofphishing campaigns with the highest rank is presented first.
 2. Theapparatus of claim 1, wherein the priority score for each phishingcampaign is inversely proportional to the phishing score of a user ofthe plurality of users.
 3. The apparatus of claim 1, wherein theplurality of phishing scores are determined by analyzing a deletion rateof a plurality of users to a plurality of phishing emails.
 4. Theapparatus of claim 1, wherein the phishing campaign of the plurality ofphishing campaigns with the lowest ranking is ignored.
 5. The apparatusof claim 1, wherein for each phishing campaign, the determination of thepriority score for the campaign is further based on a response rate tothe phishing email of the phishing campaign.
 6. A method comprising:storing, by a memory, a plurality of phishing scores, each phishingscore of the plurality of phishing scores indicating a likelihood that auser will delete a phishing email; and determining, by a processor, thata plurality of phishing campaigns are occurring; for each phishingcampaign of the plurality of phishing campaigns: determining, by theprocessor, that a plurality of users deleted a phishing email of thephishing campaign; determining that a plurality of users fell victim tothe phishing email of the phishing campaign; and determining, by theprocessor, a priority score for the phishing campaign based on thephishing score of each user of the plurality of users who deleted thephishing email, on the phishing score of each user of the plurality ofusers who fell victim to the phishing email, and on a number of phishingemails sent as part of the phishing campaign; and ranking the pluralityof phishing campaigns based on the priority score of each phishingcampaign, wherein the phishing campaign of the plurality of phishingcampaigns with the highest rank is presented first.
 7. The method ofclaim 6, wherein the priority score for each phishing campaign isinversely proportional to the phishing score of a user of the pluralityof users.
 8. The method of claim 6, wherein the plurality of phishingscores are determined by analyzing a deletion rate of a plurality ofusers to a plurality of phishing emails.
 9. The method of claim 6,wherein the phishing campaign of the plurality of phishing campaignswith the lowest ranking is ignored.
 10. The method of claim 6, whereinfor each phishing campaign, the determination of the priority score forthe campaign is further based on a response rate to the phishing emailof the phishing campaign.
 11. A system comprising: a plurality of users;and a phishing management device comprising: a memory configured tostore a plurality of phishing scores, each phishing score of theplurality of phishing scores indicating a likelihood that a user willdelete a phishing email; and a processor communicatively coupled to thememory and configured to: determine that a plurality of phishingcampaigns are occurring; for each phishing campaign of the plurality ofphishing campaigns: determine that a plurality of users deleted aphishing email of the phishing campaign; determine that a plurality ofusers fell victim to the phishing email of the phishing campaign; anddetermine a priority score for the phishing campaign based on thephishing score of each user of the plurality of users who deleted thephishing email, on the phishing score of each user of the plurality ofusers who fell victim to the phishing email, and on a number of phishingemails sent as part of the phishing campaign; and rank the plurality ofphishing campaigns based on the priority score of each phishingcampaign, wherein the phishing campaign of the plurality of phishingcampaigns with the highest rank is presented first.
 12. The system ofclaim 11, wherein the priority score for each phishing campaign isinversely proportional to the phishing score of a user of the pluralityof users.
 13. The system of claim 11, wherein the plurality of phishingscores are determined by analyzing a deletion rate of a plurality ofusers to a plurality of phishing emails.
 14. The system of claim 11,wherein the phishing campaign of the plurality of phishing campaignswith the lowest ranking is ignored.
 15. The system of claim 11, whereinfor each phishing campaign, the determination of the priority score forthe campaign is further based on a response rate to the phishing emailof the phishing campaign.